[Freeipa-users] cannot add posix group or user

Cox, Jason JCOX15 at harris.com
Wed Apr 19 20:19:03 UTC 2017 

Hi all,

I had to reinstall my IPA setup, so I'm using 4.4 and am learning the newer domain levels and topology features.
I've installed 3 servers.
I promoted one of the replicas to master and demoted the original master to replica according to the documentation.
I ran into an issue with the original master no longer replicating, so I performed an ipa-server-install -uninstall and removed the host/server from IPA.

I re-setup the replica using ipa-client-install and then ipa-replica-install, and had no errors reported in the output.
I then went into Web UI and setup replication agreements using the topology graph page between the new replica and the previous replica (the master/new replica agreements being setup by the replica install script).

I then attempted to add a posix group account and got an operational error message. This caused ldap to crash on the server I was interfacing with.
I performed an 'ipactl restart' on the affected server and attempted again with the same issue.
I tried adding a non-posix group and it was successful.

I found the dirsrv logs and see the error 'dna-plugin - dna_pre_op: no more values available!!' which lead me to https://www.redhat.com/archives/freeipa-users/2014-February/msg00247.html

Performing the ldapserch I see:
  dnaMaxValue is 1100
  dnaNextValue is 1101
  dnaThreshold is 500

I also did 'ipa idrange-find', which shows:

---------------
1 range matched
---------------
  Range name: MYDOMAIN.COM_id_range
  First Posix ID of the range: 1946000000
  Number of IDs in the range: 200000
  Range type: local domain range
----------------------------
Number of entries returned 1
----------------------------


So now my question is what do I need to change to fix the issue?
I can do the ldapmodify to adjust the dnaMaxValue, but I don't know what I should be adjusting the idrange to?
I'd like to keep the idrange the same and just adjust the dnaMaxValue, so would I need to change dnaMaxValue to 200000?


Thanks,
Jason

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20170419/36d0fbd6/attachment.htm>

More information about the Freeipa-users mailing list